
1. I assumed that you first connect to the database.
2. Then you need to have a "county" record in your "mydatabase" table.
3. Then it's just a matter of setting the county to whatever you are trying to evaluate; assuming that is taken from the user, you could use something like:

PHP Code:

// read the submitted county and HTML-escape it before use
$county = trim(htmlspecialchars($_POST['county']));

// ....connect to database....

// look up the row whose county matches the submitted value
mysql_query("SELECT * FROM `mydatabase` WHERE county='$county'") or die("The " . mysql_error() . " error occurred, and the query couldn't be performed");

This makes two assumptions: 1) your form method is "post" and 2) your form field is named "county".
If your form method is "get", use $_GET[], and you can just rename "county" inside if that's different as well.

Quite true, but the above is not the way to go about providing protection. Always use the database-specific escaping function before building a query from user input. This will account for any syntactic quirks that may be present. For MySQL, this is the mysql_real_escape_string or mysqli_real_escape_string functions, or real_escape_string method (depending upon the extension used).

The point of escaping values before inserting them into queries is to prevent injection attacks (intentional or otherwise). This requires escaping characters that are special in SQL. However, the htmlspecialchars function is designed to convert characters that are special to HTML into entity or character references. That isn't the same thing. Furthermore, comparing an entity reference of a character with the character itself clearly won't result in equality, therefore queries that should succeed may actually fail.

Do I still need to use this method if the user input is coming from a select option?

Absolutely. Never trust anything that originates from the client. A form can be edited before submission to corrupt the values of fields that you might otherwise consider read-only.

There is nothing wrong with paranoia when it comes to server-side security. Whilst you might not be a direct target of malicious users, it doesn't hurt to be cautious and applying good security practices should become second nature.

The point of escaping values before inserting them into queries is to prevent injection attacks (intentional or otherwise). This requires escaping characters that are special in SQL. However, the htmlspecialchars function is designed to convert characters that are special to HTML into entity or character references.

That is why I told him to sanitize it, so he didn't have the injection problem. Wouldn't you still need to sanitize the HTML content though, or do those functions provide that support?

Originally Posted by mwinter

Absolutely. Never trust anything that originates from the client. A form can be edited before submission to corrupt the values of fields that you might otherwise consider read-only.

ABSOLUTELY! Someone with malicious intent could create a form on their own system, but instead of using your "select" values they would input something else in its place that would attempt to compromise your server.

Originally Posted by mwinter

There is nothing wrong with paranoia when it comes to server-side security. Whilst you might not be a direct target of malicious users, it doesn't hurt to be cautious and applying good security practices should become second nature.

Often it is users with good intentions who break the system, and even if he/she didn't mean to do damage, this person could.

Hosts usually provide some type of security themselves, as it is their physical machine; however, the extent of that security is never something to rely on. If you do your own sanitation, at the very most they will have adequate security themselves and the content would be sanitized twice; don't have security even ONCE and say goodbye to your website, and probably the server that's hosting it.

If, for example, the OP was to take data from the database to display in a response, that would be a good time to run it through the htmlspecialchars function if the data could contain special characters, especially quotes (single ['] and double ["]), less-than symbols (<), and ampersands (&).
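The following is an added example, not code from this thread or from any of its posters. It puts the two points mwinter makes side by side: HTML-escaping a value before it is compared in SQL makes legitimate lookups fail (the entity reference never equals the stored character), while a parameterised query handles the same value correctly, and htmlspecialchars belongs at output time as the last post describes. It assumes PDO with the SQLite driver so that it runs offline; the table name `mydatabase`, the column `county`, and the sample rows are constructed to mirror the thread, and the MySQL PDO driver accepts the same prepare/execute calls.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO so it runs
// offline; the thread's MySQL setup would use the MySQL PDO driver with the
// same prepared-statement calls. Table/column names mirror the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mydatabase (id INTEGER PRIMARY KEY, county TEXT)");
$db->exec("INSERT INTO mydatabase (county) VALUES ('Cork'), ('Prince George''s')");

// Constructed sample of what a client might submit: a legitimate county name
// that happens to contain an apostrophe (the thread's $_POST['county']).
$submitted = "Prince George's";

// 1. The thread's approach: HTML-escape, then interpolate into the SQL text.
//    ENT_QUOTES made explicit so every PHP version turns ' into &#039;; the
//    stored row holds a literal apostrophe, so the comparison never matches.
$htmlEscaped = trim(htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8'));
$rows = $db->query("SELECT * FROM mydatabase WHERE county='$htmlEscaped'")->fetchAll();
printf("htmlspecialchars + interpolation: %d row(s)\n", count($rows));

// 2. Raw interpolation: the apostrophe ends the string literal early and the
//    statement is malformed. Any character that can alter the SQL structure
//    this way is exactly what SQL-specific escaping exists to neutralise.
try {
    $db->query("SELECT * FROM mydatabase WHERE county='$submitted'");
} catch (PDOException $e) {
    echo "raw interpolation: query failed (" . $e->getMessage() . ")\n";
}

// 3. Parameterised query: the value is sent separately from the SQL text, so
//    nothing in it can change the statement. This is the preferred form; the
//    *_real_escape_string functions named in the thread solve the same SQL
//    problem when a query string must be built by hand.
$stmt = $db->prepare("SELECT * FROM mydatabase WHERE county = :county");
$stmt->execute([':county' => trim($submitted)]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("prepared statement: %d row(s)\n", count($rows));

// 4. HTML escaping is applied when the stored value is echoed into a page,
//    not when it is compared in SQL.
foreach ($rows as $row) {
    echo '<li>' . htmlspecialchars($row['county'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

Running it shows step 1 returning no rows for a value that is present in the table, step 2 failing outright, and step 3 returning the row; the loop in step 4 then emits the apostrophe as an entity reference where HTML, not SQL, is the consumer.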